proxmark3 icon indicating copy to clipboard operation
proxmark3 copied to clipboard
verified publisher icon RfidResearchGroup

Failed to clone EM4102 to Hitag S/82xx tag after first successful write on F8310 tag

Open sleepwalkera opened this issue 9 months ago • 2 comments

Describe the bug When cloning EM4102 to Hitag S/82xx (F8310) tags, the first write succeeds but subsequent writes to the same tag fail with "Something went wrong in step 0". The tag becomes effectively read-only after initial programming.

[+] Preparing to clone EM4102 to Hitag S/82xx tag with EM Tag ID 0A004EEC71 (RF/64)
[=] Encoded to FF 82 80 02 7B DC 3C 68 
[!] ⚠️  Something went wrong in step 0

To Reproduce Steps to reproduce the behavior:

  1. Place fresh F8310 tag on antenna
  2. Run: lf em 410x clone --id [SOME_ID] --hts (success)
  3. Run: lf em 410x clone --id [ANY_NEW_ID] --hts (fails)
  4. Observe step 0 error on subsequent attempts

Expected behavior The command should allow rewriting the same Hitag S/82xx tag multiple times with different EM4102 IDs, just like the initial successful write.

Additional context Tested with latest v4.20469 Tag remains readable after failed writes (retains first-written ID)

[usb] pm3 --> lf search

[=] Note: False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 
[+] EM 410x ID 0F0368568B
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : F0C0166AD1
[=] HoneyWell IdentKey
[+]     DEZ 8          : 06837899
[+]     DEZ 10         : 0057169547
[+]     DEZ 5.5        : 00872.22155
[+]     DEZ 3.5A       : 015.22155
[+]     DEZ 3.5B       : 003.22155
[+]     DEZ 3.5C       : 104.22155
[+]     DEZ 14/IK2     : 00064481678987
[+]     DEZ 15/IK3     : 001034014845649
[+]     DEZ 20/ZK      : 15001200010606101301
[=] 
[+] Other              : 22155_104_06837899
[+] Pattern Paxton     : 259822731 [0xF7C948B]
[+] Pattern 1          : 9750181 [0x94C6A5]
[+] Pattern Sebury     : 22155 104 6837899  [0x568B 0x68 0x68568B]
[+] VD / ID            : 015 / 0057169547
[+] Pattern ELECTRA    : 3843 6837899
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] UID.... 96E1B54D
[+] TYPE... Probably not NXP Hitag S
[+] Chipset detection: Hitag 1/S / 82xx
[?] Hint: Try `lf hitag hts` commands
[usb] pm3 --> lf hitag hts reader
[+] UID.... 96E1B54D
[usb] pm3 --> lf hitag hts list
[+] Recorded activity ( 23 bytes )
[=] start = start of start frame. end = end of frame. src = source of transfer.
[=] Hitag 1 / Hitag 2 / Hitag S / Hitag µ - Timings in ETU (8us)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        134 | Rdr | 5: 19                                                                   |     | UID Request (Advanced 11000)
        358 |       2645 | Tag |32: 96  E1  B5  4D                                                       |  !! | UID: [96E1B54D]

sleepwalkera avatar Jun 14 '25 16:06 sleepwalkera

Usually, the problem of only being able to write once occurs when the key atuh is enabled due to incorrect activation of the aut bit. Or perhaps the key was mistakenly changed due to the data being written.

xianglin1998 avatar Nov 22 '25 03:11 xianglin1998

if you can hunt down in the source code when the `lf em 410x clone --id <> --hts" happens you can see if the configuration block is changed too. or if a pwd/key is set.

iceman1001 avatar Nov 26 '25 04:11 iceman1001